Slashdot Mirror


Password Resets Worse Than Reusing Old password

narramissic writes "We all know well the perils of password reuse. But what about the information used to reset passwords? Many sites use a standard set of questions — your mother's maiden name, the name of your best friend, what city you grew up in, or what brand your first car was. And you probably have a standard set of responses, making them easy to remember but not very secure. 'The city you grew up in and your mother's maiden name can be derived from public records. Facebook might unwittingly tell the name of your best friend. And, until quite recently, Ford with its 25% market share had a pretty good chance of being the brand of your first car,' says security researcher Markus Jakobsson. But 'password reset does not have to be a weak link,' says Jakobsson. 'Psychologists know that people's preferences are stable — often more so than long term memory. And very few preferences are recorded in public databases.'"
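
The guessability argument in the summary (a first-car brand that is Ford 25% of the time, answers recoverable from public records), worked through as an added Python example that is not from the story or from Jakobsson's work: it computes an attacker's odds of guessing a reset answer from answer-frequency distributions. Only the 25% figure comes from the page; the other car frequencies and the preference-style question are constructed.

```python
"""Guessing-attack odds for password-reset questions.

Added example (not from the Slashdot story or Jakobsson's work): models an
attacker who knows how answers to a reset question are distributed across
the population and tries the most common answers first.  The only number
taken from the page is Ford's 25% share; the rest is constructed.
"""
import math

# Constructed answer distributions (probability mass per answer).
# FIRST_CAR_BRAND: Ford at 25% as stated in the story; the rest is invented.
FIRST_CAR_BRAND = {
    "ford": 0.25, "chevrolet": 0.20, "toyota": 0.15, "honda": 0.12,
    "dodge": 0.08, "nissan": 0.06, "volkswagen": 0.05, "other": 0.09,
}
# A preference-style question whose answers spread far more evenly
# (constructed; stands in for the "stable preferences" the story proposes).
FAVOURITE_OBSCURE_DISH = {f"dish{i}": 1 / 400 for i in range(400)}


def success_probability(dist, guesses):
    """Chance an attacker succeeds within `guesses` online attempts by trying
    the most frequent answers first (sum of the top-k probabilities)."""
    top = sorted(dist.values(), reverse=True)[:guesses]
    return min(1.0, sum(top))


def min_entropy_bits(dist):
    """Min-entropy: -log2 of the single most likely answer.  This, not
    Shannon entropy, is the strength measure that matters against guessing."""
    return -math.log2(max(dist.values()))


def combined_success(dists, guesses_per_question):
    """Attacker must answer every question; treating answers as independent,
    the success probability is the product of the per-question odds."""
    p = 1.0
    for d in dists:
        p *= success_probability(d, guesses_per_question)
    return p


if __name__ == "__main__":
    for name, d in [("first car brand", FIRST_CAR_BRAND),
                    ("favourite obscure dish", FAVOURITE_OBSCURE_DISH)]:
        print(f"{name}: 1 guess={success_probability(d, 1):.1%}, "
              f"3 guesses={success_probability(d, 3):.1%}, "
              f"min-entropy={min_entropy_bits(d):.1f} bits")
    # Three car-like questions, each allowing 3 tries before lockout.
    print(f"three car-like questions, 3 tries each: "
          f"{combined_success([FIRST_CAR_BRAND] * 3, 3):.1%}")
```

The numbers make the defender's point: a question whose top answer holds 25% of the population has only 2 bits of min-entropy, so a three-attempt lockout still leaves the attacker a better than even chance per question.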

39 of 420 comments

  1. HA! by Dice · · Score: 5, Funny

    Fooled them. My first car was a Chevy!

    1. Re:HA! by CaptainPatent · · Score: 5, Funny

      Fooled them. My first car was a Chevy!

      *database updated*

      --
      Well, back to rejecting software patent applications.
    2. Re:HA! by evanbd · · Score: 4, Funny
  2. Preferences are stable? by CorporateSuit · · Score: 5, Funny

    Bridgekeeper: Stop. What is your name?
    Galahad: Sir Galahad of Camelot.
    Bridgekeeper: What is your quest?
    Galahad: I seek the Grail.
    Bridgekeeper: What is your favourite colour?
    Galahad: Blue. No, yel...

    --
    I am the richest astronaut ever to win the superbowl.
    1. Re:Preferences are stable? by Perf · · Score: 2, Funny

      Bridgekeeper: Stop. Who are you?
      Politician: Defender of the public, famous war hero, community organ grinder...
      Bridgekeeper: What is your quest?
      Politician: I seek the Presidency.
      Bridgekeeper: What is your personal stance on illegal immigration, foreign policy, abortion, the war on terror, etc.?
      Politician: Uhmmmm... It's very wide. Let me check the polls.

  3. Those are all dumb and easy cracks by Average_Joe_Sixpack · · Score: 3, Funny

    I just use the current month and then the year.

  4. Password reminder hints problems by hack++slash · · Score: 3, Funny

    I recently bought a domain+hosting space from a well-known site, one that I don't ever recall buying domains from in the past (even searched through years' worth of emails - nothing), and when signing up for a new account I was unexpectedly greeted with "that email address is already in use".

    So I went to the password retrieval page, entered my email address, and it asked me the stupidest hint question (for me) ever: "What was the make of your first car?". It didn't make sense at all because I still haven't bought my first car!

    --
    To do something right, you often have to roll up your sleeves and get busy.
  5. Re:pff by jgtg32a · · Score: 5, Funny

    My mother's maiden name was 12345

  6. 'Other' Questions by Zekasu · · Score: 3, Funny

    Many websites allow you to use your own question, rather than a preset one. "What is the movie you'd most relate to your high school career?"

    "What was the name of the craziest teacher you had?"

    Better yet, "On Tuesday mornings, which newspaper did you always use to cut out little robot people?"

    1. Re:'Other' Questions by quintessentialk · · Score: 5, Funny

      Or, "Where did you bury the body of your eleventh victim?"

    2. Re:'Other' Questions by uncqual · · Score: 3, Funny

      Oh yes, it's easy to remember now... Just wait until you're working on your second hundred victims.

      --
      Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
  7. Re:I NEVER use these fields by LighterShadeOfBlack · · Score: 4, Funny

    My bank uses a PIN in addition to the login. This actually makes sense to me - as PINs are generally easier to remember than my 10-digit random char-lists, but moreover it's at least honest about the purpose of these extra fields - and doesn't dupe people into leaving their pants down when the DB gets hacked one day.

    So you think someone is going to hack the login database for a bank and is going to be focusing on the fact that your first pet's name was Mittens?

    --
    Spelling mistakes, grammatical errors, and stupid comments are intentional.
  8. Comment removed by account_deleted · · Score: 4, Funny

    Comment removed based on user account deletion

  9. Re:pff by Anonymous Coward · · Score: 2, Funny

    ...you insensitive clod?

  10. Too bad this guy wasn't you ... by Krishnoid · · Score: 2, Funny

    Exactly how excellent is your memory, then? This kind of corner-case made me reconsider best-practices password security.

  11. Wait a minute... by PC+and+Sony+Fanboy · · Score: 3, Funny

    Yes, it is available through public record. But that isn't enough! What if your siblings like to play pranks on you, or if your mother is trying to get you to move out of your basement?

    How do I protect myself from THEM?!

    1. Re:Wait a minute... by darkpixel2k · · Score: 4, Funny

      No one will ever guess that I just pick a question at random and give all the same answers.

      Mother's Maiden Name: lando-calrissian
      Favorite pet: lando-calrissian
      Year you were born: lando-calrissian
      Best friend: lando-calrissian

      Guess that, suckers.

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    2. Re:Wait a minute... by Trigun · · Score: 2, Funny

      I love the ones that allow you to choose your own questions as well. I always pick ones that I know someone in IT would be able to pick, but aren't really from the IT field, per se.

      "What is the airspeed velocity of an unladen swallow?"

      "Oh fiddle-dee-dee. That will require a ..."

      It allows my employers to choose a successor should I pass on, and my brother a chance to clean out all the incriminating evidence from my web presence should he need to.

  12. Re:Well, at least's that's a little secure by LighterShadeOfBlack · · Score: 3, Funny

    It's pretty hard for a virus to read what's beneath the desk. Not impossible if the virus can control your employer's security cameras, but difficult.

    If they're under your desk I don't think those are security cameras.

    --
    Spelling mistakes, grammatical errors, and stupid comments are intentional.
  13. Re:I NEVER use these fields by jcgf · · Score: 4, Funny

    He uses post-it notes stuck to his monitor.

  14. Re:pff by punterjoe · · Score: 2, Funny

    I'm with you. As far as these security bots are concerned, my mother's maiden name was sodoff. I imagine people just think she was Russian & not that I'm cursing at the stupid question. :D

  15. Re:pff by BigDaddyOttawa · · Score: 1, Funny

    Especially if your mom is the one trying to "hack" in to your bank account.

    --
    Sig? SIG? We don't need no stinkin' sig!!!
  16. Re:pff by Anonymous Coward · · Score: 1, Funny

    Are you sure that wasn't just something she said shortly after getting married?

  17. I accidentally stole a guy's Gmail account by ozphx · · Score: 2, Funny

    Couldn't log in! Was trying to log in to the wrong username (who shared my name), and the guy's secret question was "lager?". Of course the answer was "yes". :/

    That probably makes me guilty of all kinds of nasty shit by accident :P

    --
    3laws: No freebies, no backsies, GTFO.
  18. Re:Even worse... by Tubal-Cain · · Score: 2, Funny

    Let me guess... 42? 1337? 3.141592653589793helpimtrappedinauniversefactory7108914...?

  19. Re:Even worse... by Nushio · · Score: 4, Funny

    That's why I use random gibberish as a question, and rot13 that and use it as the answer.

    Posting anonymously because I don't want you to look into my accounts and attempt to get into them!

    --
    Check out Unsealed: Whispers of Wisdom! http://unsealed.k3rnel.net It's an action-RPG about Open Sourcerers.
  20. Re:Even worse... by Nushio · · Score: 5, Funny

    OH, so I'm supposed to mark that checkbox up there?

    --
    Check out Unsealed: Whispers of Wisdom! http://unsealed.k3rnel.net It's an action-RPG about Open Sourcerers.
  21. Re:Are there any good solutions? by zappepcs · · Score: 3, Funny

    Dude, you don't get it ROFL
    If you can't get logged in, when you call their help desk they ask you the questions! You have to give some soft-spoken girl the answers... ROFLMFAO

    I thought about 'eatshitcunt' as an answer, but that just wouldn't work out right

  22. I don't know about you guys... by thatskinnyguy · · Score: 4, Funny

    ...but my password is always ); DROP TABLE user_accounts;

    --
    The game.
  23. Workaround by d_54321 · · Score: 3, Funny

    I've got a great workaround.

    In fields like "Mother's maiden name:", just enter "mothersmaidenname".

    Not derivable from any of your public records, and nobody would ever guess it.

    Try it.

  24. Re:pff by Anonymous Coward · · Score: 1, Funny

    My mother's maiden name was 12345

    My mother's maiden name was Robert'); DROP TABLE Customer;

  25. Re:Just lie! by Nebu · · Score: 3, Funny

    Just lie on these questions! Put in answers you would know, but aren't factually correct.. =)

    I have enough trouble remembering the factually correct answers (when the hell is my birthday again?), nevermind the lies.

  26. Re:pff by ksd1337 · · Score: 2, Funny

    Pfft. I just list all my account details for websites in a CSV file, then upload it to BitTorrent as "18 yr old bj porn xxx strip". That way, I'll always be able to download it.

  27. Re:Even worse... by eugene+ts+wong · · Score: 5, Funny

    You're lucky. I'm still confused by what happened to me.

    He said, "Mr. Wong, your confirmation question is, 'What did Eve first say when she saw Adam?'"

    "Hmm, that's a tough 1."

    "Yes, that is correct. Now, the deciphering question is, 'How does a foobar ask a question?'"

    "What?"

    "Yes, that is correct. Will there be anything else for you today, Mr. Wong?"

  28. Whoa... Peter, is that you? by mr_mischief · · Score: 2, Funny

    Is your hometown, by any chance, Quahog RI?

  29. Re:Lie by greg1104 · · Score: 2, Funny

    Making up your own answers like the ones you suggest might seem fine, but just you wait until someone at the bank challenges you on the phone to confirm your answer to "what's your favorite sport?" and you have to answer "Moorcock".

  30. Re:Are there any good solutions? by Anonymous Coward · · Score: 5, Funny

    Well the easy solution is to use a random string of characters.

    "My first pet was 4fgTY2k11."

    Make sure you use numbers and both lower and upper case letters at least.

    How are you gonna remember this in 10 years though? Easy! Store it in a file called "passwords.txt" in your My Documents folder. Works for me!

  31. Re:pff by Catil · · Score: 5, Funny

    Seriously, I do reuse passwords -- I use the same pw for low-security sites (message boards, excluding slashdot)[...]

    Why do you exclude Slashdot? People don't gain anything compromising your account here. I use the same pw on all sites...

  32. Re:pff by Catil · · Score: 5, Funny

    HAHAHA Disregard that, I SUCK COCKS.